Security

Responsible vulnerability disclosure

We welcome reports from security researchers who follow safe-testing boundaries and act in good faith.

Security contact

Email management@sitrava.online. This address is monitored and will be activated when the mailbox is operational.

Types of reports accepted

  • Authentication and account-security issues
  • Authorisation and access-control issues
  • Sensitive information disclosure
  • Payment or subscription-integrity issues
  • Application vulnerabilities in Sitrava-published applications
  • Infrastructure vulnerabilities affecting Sitrava production systems

Information required

  • A clear description of the issue and its impact
  • Reproduction steps, request/response samples where relevant
  • Any affected URLs, application versions or components
  • Your preferred contact channel and disclosure timeline

Safe-testing boundaries

  • Do not access, alter or destroy data that is not your own.
  • Do not perform automated scanning that degrades service for other customers.
  • Do not exfiltrate more data than is necessary to demonstrate the issue.
  • Do not test social-engineering, physical or third-party integrations without prior written agreement.
  • Do not intentionally disrupt the service, including denial-of-service testing.

Acknowledgement and coordination

We aim to acknowledge new reports promptly and coordinate disclosure with the reporter. Coordinated disclosure timing depends on the severity, complexity and reproducibility of the issue.

Bounty

Sitrava does not currently guarantee a financial bounty. Recognition may be offered on a case-by-case basis.

Legal safe harbour

Reporters who act in good faith within these boundaries will not be pursued by Sitrava for good-faith research. This does not authorise activity that violates applicable law or third-party rights.